New draft European data protection regime

2 February 2012

New draft European data protection regime to apply also to all US companies processing data of European residents

On 25 January 2012, the European Commission unveiled a draft legislative package to establish a unified European data protection law. The package includes a draft "General Data Protection Regulation" (the "Regulation") that will be directly applicable in all member states of the European Union ("EU") replacing the patchwork of different data protection laws currently in force in the different member states.

Summary

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for US companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2 % of worldwide turnover.

The Objectives Of The European Commission

The European Commissioner for Justice, Fundamental Rights and Citizenship, Ms. Viviane Reding, in a speech at the Digital Life Design summit here in Munich on 23 January 2012 outlined that the European Commission’s proposal will give EU companies a competitive advantage globally, as the Regulation would provide for

a harmonized pan-EU regulation, replacing the existing patchwork of 27 national regulations;

an improvement of the current system of binding corporate rules for the safe transfer of data outside the EU;

a regime allowing individuals better control over their own data.

Proposed Changes To The Data Protection Law

The draft Regulation highlights the following notable changes to the data protection regime currently in force in Germany and the EU:

a) The EU data protection regulation will also apply to all non-EU companies without any establishment in the EU, provided that the processing of data is directed at EU residents. This may force, for example, US companies not only to comply with EU law, but also to establish data protection management, for example by appointing a “European” data protection officer.

b) As a general rule, any processing of personal data will require providing clear and simple information to the individuals concerned as well as obtaining their specific and explicit consent to the processing of their data (opt-in), except in cases in which the data protection regime explicitly allows the processing of personal data.

c) The Regulation will make the safe transfer of data outside of the EU (including the processing of data in the cloud) easier where the parties involved commit themselves to binding corporate rules.

d) New privacy rights, including the data subject's "right of portability" and the "right to be forgotten", will be established in the EU. The "right of portability" will allow the transfer of all data from one provider to another upon request, for example the transfer of a social media profile or email account, whereas the "right to be forgotten" will allow people to wipe their history clean.

e) The processing of data of individuals under the age of 13 will in general require parental consent, which will make it more difficult for companies to conduct business aimed at minors.

f) All companies will be obligated to notify the EU data protection authorities as well as the individuals whose data are affected of any breaches of data protection regulations or data leaks without undue delay, that is within 24 hours.

g) A harsh sanction regime will be established for breaches of the unified EU data protection law, allowing data protection authorities to impose penalties of up to 2 % of a company’s worldwide turnover in cases of severe data protection breaches.

Outlook

The lawmaking process within the EU is known for its slowness. The prior Data Protection Directive of 1995 was stuck in the lawmaking process for more than two years. We therefore expect the Regulation to come into force only in the medium term, which will give all lobby groups and think tanks enough time to try to persuade lawmakers to change or amend the draft Regulation.